The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site.
Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It is used on 27 million WordPress sites, according to its website.
The issue is said to have been identified by Jetpack during an internal security audit and has persisted since version 3.9.9, released in 2016.
The vulnerability resides in the Contact Form feature in Jetpack, and "could be used by any logged in users on a site to read forms submitted by visitors on the site," Jetpack's Jeremy Herve said.
Jetpack said it has worked closely with the WordPress.org Security Team to automatically update the plugin to a safe version on installed sites.
The shortcoming has been addressed in the following 101 different versions of Jetpack:
13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10
While there is no evidence that the vulnerability has ever been exploited in the wild, there is a possibility that it could be abused going forward in light of public disclosure.
It is worth noting that Jetpack rolled out similar fixes for another critical flaw in the Jetpack plugin in June 2023 that had been present since November 2012.
The development comes amid an ongoing dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine, with WordPress.org taking control of the latter's Advanced Custom Fields (ACF) plugin to create its own fork called Secure Custom Fields.
"SCF has been updated to remove commercial upsells and fix a security problem," Mullenweg said. "This update is as minimal as possible to fix the security issue."
WordPress did not disclose the exact nature of the security problem, but said it has to do with $_REQUEST. It further said the issue has been addressed in version 6.3.6.2 of Secure Custom Fields.
"Their code is currently insecure, and it's a dereliction of their duty to customers for them to tell people to avoid Secure Custom Fields until they fix their vulnerability," WordPress noted. "We've also notified them of this privately, but they did not respond."
WP Engine, in a post on X, claimed WordPress has never "unilaterally and forcibly" taken an actively developed plugin "from its creator without consent."
In response, WordPress said "this has happened several times before," and that it reserves the right to disable or remove any plugin from the directory, remove developer access to a plugin, or change it "without developer consent" in the interest of public safety.